lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 11 Jan 2005 00:22:09 +0100
From: "mikx" <mikx@...x.de>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>,
        <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
Subject: Firespoofing [Firefox 1.0]


__Summary

Using javascript it is possible to spoof the content of security and 
download dialogs by partly covering them with a popup window. This can fool 
a user to download and automaticly execute a file (if a file extension 
association exists) or to grant a script local data access (if codebase 
principals are enabled).

__Expected Behavior

Modal dialogs should always be on top and it should not be possible to 
obfuscate their appearance.

__Proof-of-Concept

http://www.mikx.de/firespoofing/

The PoC is designed for Firefox 1.0 running in a maximized window.

Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file 
with a standard windows file association (in this case a .ht file). BTW, 
remember the latest .ht buffer overflow...

Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are 
enabled (not default but encouraged by many XUL sites). Creates the file 
c:\booom.txt to proof local system access.

__Status

The bug is confirmed but currently unfixed (open for more than 3 months). As 
a partial workaround set dom.disable_window_flip to true in about:config. 
The vendor failed to respond to multiple status requests which led to this 
public disclosure.

2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure

__Affected Software

Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.

__Contact Informations

Michael Krax <mikx@...x.de>
http://www.mikx.de/?p=7

mikx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ